Congress Approves New DHS Cybersecurity Agency
Bill Creating Cybersecurity and Infrastructure Security Agency Awaits President's Signature
The United States will soon officially have a single agency that takes the lead role for cybersecurity.
Congress has passed legislation to establish a new cybersecurity agency within the Department of Homeland Security. The House on Tuesday unanimously passed the measure, the CISA Act, which won Senate approval earlier. It now awaits President Trump's signature.
The new Cybersecurity and Infrastructure Security Agency will have the same stature as other units within DHS, such as the U.S. Secret Service or Federal Emergency Management Agency. The National Protection and Programs Directorate, or NPPD, will be reorganized into the new agency.
"The cyber threat landscape is constantly evolving, and we need to ensure we're properly positioned to defend America's infrastructure from threats digital and physical," says DHS Secretary Kirstjen M. Nielsen. "It was time to reorganize and operationalize NPPD into the Cybersecurity and Infrastructure Security Agency."
Christopher Krebs, who heads NPPD, adds: "Elevating the cybersecurity mission within the Department of Homeland Security, streamlining our operations and giving NPPD a name that reflects what it actually does will help better secure the nation's critical infrastructure and cyber platforms. The changes will also improve the department's ability to engage with industry and government stakeholders and recruit top cybersecurity talent."
One of NPPD's most significant missions has been to oversee cybersecurity among federal government civilian agencies - the .gov domain - and to coordinate IT security initiatives with other entities, such as state, local, tribal and territorial governments as well as the private sector, including the operators of the nation's critical infrastructure. It has worked with the states to protect digital election infrastructure from sabotage following Russian interference in the 2016 election.
"This is a very substantial initiative on the part of Congress and the Department of Homeland Security," says Mac McMillan, CEO of the security consultancy CynergisTek, who spent 20 years at the Department of Defense, most recently at the Defense Threat Reduction Agency.
"Creating an actual agency, with leadership, staff, budget, facilities, etc., is a significant commitment to addressing the cybersecurity issue and protection of critical infrastructure in this country. This is the commitment of taxpayer dollars and resources to address an important issue. It creates a centralized hub for coordinating efforts across the government and prioritizing programs."
Tom Kellermann, the chief cybersecurity officer at Carbon Black who formerly served on the Commission on Cyber Security for the 44th President of the United States, notes: "The Achilles heel of America is her cybersecurity posture. This new agency represents a cosmic shift in governance toward civilizing American cyberspace."
Much greater emphasis must be placed on insulating critical infrastructures from cyber intrusions, he contends. "The growing threat posed by nation-states underscores the need for the United States government to get on a more proactive footing. DHS has been elevating their game under the leadership of Krebs."
Still Lots of Work to Do
Retired Brigadier General Gregory Touhill, who was appointed by President Obama as the first CISO of the federal government, says the passing of this legislation "is a step forward and culminates a long process that started several years ago. Not only does it retire what was arguably the worst and least descriptive organizational name in government - the National Protection and Programs Directorate - it formally charters the agency responsible for the nation's cybersecurity."
But Touhill, who now serves as president of Cyxtera Federal Group, an IT consultancy serving federal agencies, says the government still has a lot of work to do.
"The new agency still has a lot of personnel gaps and needs to continue to mature its ability to recruit and retain the coveted highly skilled cyber technical personnel needed to properly execute the mission," he says.
Various government agencies that deal with cybersecurity, including the new CISA as well as the FBI, the U.S. Cyber Command and others, "still have a lot of uneven seams and overlaps," he contends. "I anticipate that Congress will need to address those issues in subsequent legislation."
The former federal CISO adds: "With the advent of the CISA, Congress ought to look at how we actually manage enterprise risk across the federal government. Right now, current legislation calls for every department and agency to independently operate their information technology enterprises and manage their own cyber risk. That construct results in huge cyber risk, as strategically important small government entities are tasked to produce the same cyber protection capabilities as large and very well-funded agencies."
Congress ought to consider "strengthening the role of the U.S. CISO, formally establishing and empowering the U.S. CISO position, and directing the administration to create a plan on how to implement an enterprise .gov domain that produces results that are effective, efficient and secure," Touhill says. "Looking at best practices in the private sector, I recommend an enterprise that is centrally controlled yet incorporates decentralized execution."